I have a PSGI/Plack application hosted behind a reverse https proxy. Visitors are authenticated with client certificates. I use websockets to pass data (say, the output of "tail -f " to the browser asynchronously. The application works fine when accessed directly, but not when accessed via the reverse https proxy. Is there some way to use client certificate authentication for websockets?
There are 2 options:
Have the reverse proxy terminate the TLS, do the client cert based auth and forward unencrypted traffic to the WebSocket server behind
Have the reverse proxy forward the TLS untouched to the WebSocket server
With 2., you will need a WebSocket server that implements TLS and client-cert based authentication.
Here is a TLS-enabled WebSocket server example based on Autobahn (Python/Twisted-based):
You can add client-cert auth following the examples here:
Disclaimer: I am author of Autobahn and work for Tavendo.